
Is Penetration Testing Required for SOC 2? What You Actually Need to Know
It is one of the most common questions we get from Australian businesses working through their SOC 2 journey: do we actually need a penetration test? The short answer is no, not explicitly. The practical answer is that SOC 2 penetration testing is expected by virtually every auditor, and without it, your audit will be harder, your evidence will be weaker, and your customers will ask why it is missing.
This guide explains exactly what the standard requires, what auditors actually look for, and how to make your pen test count for your SOC 2 audit rather than just ticking a box.
What Is Penetration Testing and Why Does It Come Up in SOC 2?
A penetration test is an authorised, simulated cyberattack carried out by a security professional. The tester uses real-world attack techniques to find vulnerabilities in your systems, attempts to exploit them, and produces a report documenting what was found, how far they got, and what you need to fix.
SOC 2 is built around the AICPA’s Trust Services Criteria, and two specific criteria make penetration testing highly relevant. CC4.1 requires organisations to identify and assess risk to their security objectives. CC7.1 requires them to evaluate whether their controls are actually working. A properly scoped penetration test is the most direct and credible way to satisfy both. Auditors know this, and they expect to see it.
What the SOC 2 Standard Actually Says
SOC 2 does not include a clause that says “you must conduct a penetration test”. The framework is intentionally flexible, allowing organisations to demonstrate control effectiveness in ways proportionate to their risk environment.
But here is what happens in practice. Auditors arrive at your Type II audit and ask how you evaluate whether your security controls are working. If your answer involves only documentation and automated vulnerability scans, you will face hard follow-up questions. A penetration test, with documented findings, remediation, and a retest, is the evidence that closes that loop cleanly. Organisations without one consistently receive qualified audit opinions or identified control gaps.
Think of it this way: the standard does not require penetration testing the same way a road does not require a seatbelt. But if something goes wrong and you were not wearing one, the absence will be noticed.
SOC 2 Type I vs Type II: Does the Expectation Change?
For a SOC 2 Type I report, which assesses your controls at a single point in time, a pen test strengthens your evidence but the expectation is less rigid. The auditor is primarily reviewing whether your controls are designed correctly, not whether they have been tested under adversarial conditions.
For a SOC 2 Type II report, which covers a six to twelve month monitoring period, SOC 2 penetration testing is effectively non-negotiable if you want a clean audit. Auditors will ask for evidence that testing occurred during the audit period, that findings were remediated, and that a retest confirmed the remediation was effective. The expectation is not just that a test happened, but that your organisation treats security testing as an ongoing programme, not a one-time event.
The practical implication: if you are planning a Type II report, commission your penetration test early enough in the audit period that you have time to remediate and retest before the audit window closes.
If you are working toward SOC 2 and unsure whether your current security controls would hold up under testing, a gap assessment is the right first step. Siege Cyber includes gap analysis, risk assessment, and internal audit preparation in our CERTIFY package, so you understand exactly where you stand before you engage an auditor. Learn more about our SOC 2 services here.

What Scope Does Your SOC 2 Pen Test Need to Cover?
This is where a lot of businesses get it wrong. They commission a test that is too narrow, it does not cover the systems in their SOC 2 boundary, and the auditor flags it as insufficient evidence.
For SOC 2, your penetration test should cover the systems that are in scope for your audit. That typically includes:
- Your primary product or platform, particularly any customer-facing web application or SaaS interface
- APIs and microservices that handle customer data or authentication
- Administrative panels and internal tools that support your production environment
- Cloud infrastructure hosting your in-scope systems
- Internal network and critical servers, where relevant to your control environment
Getting the scoping right before you engage a tester saves time, money, and the frustration of needing to redo work the auditor has already reviewed.
Vanta Penetration Testing: How It Works in Practice
If you are using Vanta to manage your SOC 2 programme, you will have noticed that penetration testing comes up as a required evidence item. Vanta penetration testing requirements are clear: the platform expects you to upload a signed, dated penetration test report covering your in-scope systems, along with evidence of remediation for any findings.
Vanta does not conduct penetration tests itself. It is a compliance automation platform that monitors your controls, collects evidence, and helps you stay audit-ready year-round. But the actual test needs to be conducted by a qualified third-party provider, and the report needs to meet the auditor’s expectations in terms of scope, methodology, and findings documentation.
Siege Cyber is an official Vanta partner. We work regularly with Australian businesses that have purchased Vanta and need a pen test that will actually satisfy the evidence requirements in the platform and hold up under auditor scrutiny. If you have been told you need to upload a pen test report to Vanta and are not sure how to proceed, that is exactly the kind of situation we handle.
What Makes a SOC 2 Pen Test Report Useful to an Auditor?
Not all penetration test reports are equal, and auditors can tell the difference between a thorough engagement and a rushed automated scan with a report attached.
A good SOC 2 penetration testing report includes:
- A clear description of the scope and methodology used
- The dates the testing was conducted (auditors need to verify it falls within the audit period)
- Risk-rated findings with enough detail to understand the real-world impact
- Evidence of exploitation attempts, not just a list of detected vulnerabilities
- Remediation recommendations that are specific and actionable
- A retest summary confirming which findings were resolved
Auditors also increasingly look for evidence that your organisation acted on the findings. A report that is uploaded and filed away without remediation tells a different story than one accompanied by documented corrective actions and a retest.
How Siege Cyber Packages Pen Testing for Compliance Programmes
Siege Cyber’s CERTIFY package is designed for Australian businesses pursuing a single compliance framework, including SOC 2, with a fixed monthly cost and no surprise invoices. For $4,750 per month on a 12-month subscription, the package includes:
- Gap analysis and risk assessment
- Customised policy development
- Ongoing compliance support
- Incident response planning
- Internal audit preparation
- Management Committee meeting facilitation
- Quarterly external vulnerability scanning
Penetration testing is available as an optional add-on at a discounted rate for CERTIFY clients, meaning you can run your full compliance programme and your pen test under one coordinated engagement. That matters because a test that is scoped in isolation from your compliance work often covers the wrong systems or uses the wrong timing.
You can view full pricing details here.
What Is Penetration Testing Going to Cost Me?
For Australian businesses, a web application or external network penetration test scoped for SOC 2 compliance typically falls in the AUD $8,000 to $20,000 range, depending on the complexity of your environment and the number of applications in scope. A combined web application and internal network test will naturally cost more.
The most important thing to remember is that a cheap test that does not satisfy your auditor is not actually cheaper. Getting the scope right, engaging a qualified tester, and producing documentation that holds up under review is worth the investment.
Ready to Get Your Pen Test Right the First Time?
Siege Cyber conducts SOC 2-aligned penetration testing for Australian businesses, with plain-English reports, clear remediation guidance, and retesting included. Whether you are working through Vanta, Drata, or managing your SOC 2 programme independently, we can scope and deliver a test that satisfies your auditor and gives your team something useful to act on.
Visit https://siegecyber.com.au/services/soc2/ to learn more about our compliance services, or email us at [email protected] to discuss what a properly scoped engagement looks like for your environment. We will get back to you within one business day.